How can I group similar messages in a visualization

I cannot understand how to group similar messages in a visualisation. I have the field "message" in


and why is there no "message" in the field? I want to group messages. I get each message with a time, and the time is different, so I need to separate the time from the text and show the messages in a bar graph visualization.
I think that this field is not aggregatable because it is not selected.
How can I change it?

Hi @Fedir_Yatseta,

You are right about the reason. Because the field is not aggregatable, you cannot run a group-by on it. The fix is to index this field not as an analyzed field (likely a text field in your mapping), but as a keyword field (https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html).

So to fix, you would need to re-index the data, but also index your message field as a keyword field. You can see some examples of this in the Kibana "Sample data" (https://www.elastic.co/guide/en/kibana/current/tutorial-sample-data.html).
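
The reply above, written out as Kibana Dev Tools Console requests (an added example, not part of the original post). The index names `app-logs` and `app-logs-v2` are hypothetical, and the mapping is a variant of the advice: it keeps `message` as a searchable text field and adds a `keyword` sub-field for grouping.

```console
# Added example. "app-logs" and "app-logs-v2" are hypothetical index names.

# 1. Create a new index whose "message" field stays full-text searchable
#    and also has an exact-value, aggregatable "message.keyword" sub-field.
PUT app-logs-v2
{
  "mappings": {
    "properties": {
      "message": {
        "type": "text",
        "fields": {
          "keyword": { "type": "keyword", "ignore_above": 1024 }
        }
      }
    }
  }
}

# 2. Re-index the existing documents so they pick up the new mapping.
POST _reindex
{
  "source": { "index": "app-logs" },
  "dest":   { "index": "app-logs-v2" }
}

# 3. Group by exact message text; this is the query a bar chart split on
#    "message.keyword" runs underneath.
GET app-logs-v2/_search
{
  "size": 0,
  "aggs": {
    "by_message": {
      "terms": { "field": "message.keyword", "size": 10 }
    }
  }
}
```

Values longer than `ignore_above` are left out of the keyword sub-field and so never appear in a bucket. A keyword field also groups only on identical strings, so messages that still carry their own timestamp each land in a separate bucket until the timestamp is parsed into its own field.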

Hi @thomasneirynck, thanks for your help.
I found the following way out of this problem.
In the Filebeat settings I changed the config file "config.yaml", routed the logs into Logstash and parsed them into parts


and now I have the following visualization
